how to stop/start/restart iptables?

plan9 · 08-04-2004, 09:19 PM

wow- slackware has seriously humbled me today. yesterday was great: i learned alot, but today i got slapped around big time!

anyways-

i'm running slackware-current and i'm loading rc.firewall at boot. I had a problem today with ntalk and thought that it might be firewall related so i figured i'd turn it off and see if it made a difference.

how do you turn a slackware iptables /etc/rc.d/rc.firewall off with out rebooting?

i am seriously looking forward to the day when i can answer more questions than i need to ask. until then, thanks for helping!

-9

Tinkster · 08-04-2004, 09:28 PM

In the last 4 versions of slack that I've used (including
10) there was no rc.firewall, so ...

How about a
cat /etc/rc.d/rc.firewall
and check how it works? :)

Cheers,
Tink

foo_bar_foo · 08-04-2004, 10:02 PM

i will asume you made the firewall script yourself
make another script called firewall.stop
this is turning off NAT routing as well
so change if you don't want that
also chmod 755 so it will run

Code:

#!/bin/bash
##/etc/init.d/firewall.stop
# deactivate IP-Forwarding 
echo 0 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -Z
/sbin/iptables -F
/sbin/iptables -t nat         -F PREROUTING
/sbin/iptables -t nat         -F OUTPUT
/sbin/iptables -t nat         -F POSTROUTING
/sbin/iptables -t mangle      -F PREROUTING
/sbin/iptables -t mangle      -F OUTPUT
/sbin/iptables -X
/sbin/iptables -P INPUT       ACCEPT
/sbin/iptables -P FORWARD     ACCEPT
/sbin/iptables -P OUTPUT      ACCEPT

plan9 · 08-05-2004, 06:01 PM

Thank you both for your help. You know, when I was getting my slack box up I wanted to get a firewall up asap. I found one that did what I was looking for (drop everything but ssh) and followed the directions that said put into /etc/rc.d/rc.firewall.

the rc.firewall file did exist, but it was empty. Below is a copy of what I have been using. I know that you're probably shaking your heads because I obviously have no idea how iptables works (yes, it's true- I admit it) but please be patient with me- there is alot to learn.

a check with nmap shows that i have no ports open- and i could get into my box with ssh, so after I had the rc.firewall script installed I just went on to something else and tabled the firewall question until i had more time to get back to it (now- i suppose is a good time).

Does slack come with another utility for firewalls? I thought that you had to write your own script for rc.firewall?! I bet anything out there will run on slack, and it's just up to the individual to figure out what they want to use... so many options with slack.

anyways, here's the rc.firewall- and thanks again for the help!!

#!/bin/bash

# rc.firewall for
# Basic Slackware Security

# These two rules set the default policies, i.e. what to do if a
# packet doesn't match any other rule, to drop any packet coming
# into (INPUT) or routing through (FORWARD) the box.
iptables -P INPUT DROP
iptables -P FORWARD DROP

# These rules are added (-A) to the INPUT chain. They allow packets
# from any previously established connections and accept anything
# from the loopback interface.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT

# This rule added to the INPUT chain accepts any ssh connections.
iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT

Tinkster · 08-05-2004, 06:12 PM

That looks like a
iptables -F
for stopping, and
/etc/rc.d/rc.firewall
for starting to me ;)

Cheers,
Tink

plan9 · 08-06-2004, 02:58 PM

Tinkster:

Thanks for your post. When I typed "iptables -F" I lost my connection to my box (i connect with putty). I had to go and type "/etc/rc.d/rc.firewall" at the terminal to be able to reconnect with putty.

I think that I will now go and read up on how iptables works, as my ignorance is bothering me!!

Please let me know if you know of a good beginners guide. I'll hit the web first, then the man pages (which can be hard to comprehend).

Thanks again!

Charalambos · 08-06-2004, 03:12 PM

http://iptables-tutorial.frozentux.n...-tutorial.html
http://www.netfilter.org/

foo_bar_foo · 08-06-2004, 03:41 PM

Quote:

Originally posted by plan9
Tinkster:

When I typed "iptables -F" I lost my connection

yea
this stuff is easy -- all you need is "man iptables" to figure it out
look at what i put
-Z zero out the counters (default filter table)
-F flush the rules (default filter table)
-F flush the rules for (-t = table) nat and mangle tables
note that modern kernels have three other built-in chains for mangle that go unused by me but possibly i should have included them as well in my stop script !
then:
-X delete the chain
-P now i have to set some new policies
namely that INPUT FORWARD and OUTPUT should function normally (default filter table)

like majic -- firewall filtering is stopped and full functionality is restored

Tinkster · 08-06-2004, 04:40 PM

Quote:

Originally posted by plan9
[B]Tinkster:

Thanks for your post. When I typed "iptables -F" I lost my connection to my box (i connect with putty). I had to go and type "/etc/rc.d/rc.firewall" at the terminal to be able to reconnect with putty.

Sorry about that, I didn't think you'd be using a NATed
connection but rather be on the local network or even
console when you asked. And yes, if the machine you're
talking to is on an interface that is being handled by the
firewall (which NATing is) you'll fall off, too, when you
turn the firewall off :)

Cheers,
Tink